tinyvillageuncutfandomcom-20200214-history
Understanding Digital Signatures
Tinkerers Only Please! This is one of the pages we promised so long ago - that may only be of interest to Tinkerers and Game enthusiasts who really want to understand how things work. Maybe you are thinking of writing your own app - and already have some great ideas for your game. But how do you protect your game's most important files from being tampered with by over-enthusiastic gamers? If you leave a door open, someone will walk through! Here we present a brief tutorial on the use of digital signatures or hash algorithms to protect the integrity of your game's files. We will walk through some free or almost free software you can use to make the process of guarding your game files as easy as 1-2-3! Let's Get Started at the Dolphin Spaceship Academy A common technique in client-server games is to send the client (person playing the game) frequent updates as plain text files containing new or revised information about weekly challenges and themes. Often this text file is structured as a JSON array containing such critical information as prices for various game objects, sizes and how long the offer is available. Let's make up a simple game now - how about Dolphin Spaceship Academy for a crazy idea and suppose the premium currency is Pearls, where one pearl = one thousand oysters. Suppose this week, you wish to offer each player some special limited decorations and new weapons for their astronaut-in-training dolphins. Item1: DarkMatterBomb = 10,000 pearls Item2: SpaceBattleSimulator = 1,000,000 pearls Item3: SpaceBarnacleRepellent = 10,000 oysters. To offer these awesome new items, you would create a text file something like this and send it to the client from your game server(s) when the this awesome weekly theme is to start. {"Prices": "pearls": 10000, "oysters": 0 }, {"itemID": "SpaceBattleSimulator", "pearls": 1000000, "oysters": 0 }, {"itemID": "SpaceBarnacleRepellent", "pearls": 0, "oysters": 10000 } } Now all gamers are naturally gifted with an amazing ability to quickly ferret out any shortcuts or loop holes that would give them an edge in playing your game. An enthusiast player might really want that SpaceBattleSimulator for their dolphin academy, but they simply don't have enough pearls to purchase it before the sale is over. What to do? Hmmm, what it we just open up your game file, and reduce that one million pearl price down to something a little more affordable. Say zero pearls! This would lead to an altered file containing the line: {"itemID": "SpaceBattleSimulator", "pearls": 0, "oysters": 0 } Of course this would be great for the player, but terrible for you - the game designer. Fortunately, digital signatures '''offer a reliable way to detect and eliminate the slightest change to any of your game files. The next section explores some common hash algorithms for protecting your game files and will enable you to create digital signatures for all your game files, compare the player's files to the originals and detect any malfeasance with a simple flick of the wrist! What you then decide to do with these miscreants is entirely up to you. MD5 CHeckSum Here we will only look at MD5 checksums and save the SHA-1 hash algorithm for later. As a test example, create a plain text file containing this String from the above '''Dolphin Spaceship Academy game. "SpaceBattleSimulator", "pearls": 1000000, "oysters": 0 } Do no modify the string in any way. It starts with the [ and ends with the ] - and make absolutely certain you do not add a space or a carriage return! Copy it into the clipboard. Add no spaces. Let's store that String in a file called GameFile1.txt Next download the program HashTab for either Windows or Mac. I got mine for $1.99 from the Apple App store, but there are plenty of free alternatives. Using Version 5.1.0 Start up HashTab. In the Settings window check the MD5 option. Then from the File menu, open our file GameFile1.txt. You will instantly see its MD5 nicely dsiplayed as shown below. Fact#1:The File Name Does Not Matter To see how we can use the MD5 checksum to defeat our over-enthusiastic gamer, the first thing to note is that the MD5 sum depends only on the file content and not the file's name! Later, we will use this freedom to include the tag directly into the file's name. As a test, duplicate GameFile1.txt ''' and change the file's name to something crazy like '''WeCanCallTheFileAnything.txt. The two files now contain exactly the same String, but have vastly different names. Yet, when we compute the MD5 checksum - - it is the SAME. Try it! MD5 = 9dc12c381b19395a0be731612539b9a7 Fact#2: Format Matters! Although the name of the file does not matter, the format of the file certainly does - because it affects the content. All our files should be simple plain text files. To illustrate the effects of a simple format change, open the plain text file GameFile1.txt '''in a program such as Word and save it in rich text format - RTF. Now recompute the MD5 checksum and compare. Woops - - you can see it is completely different. The '''format change has also changed the content (in invisible ways). Anyone Can Calculate MD5 Ckeck Sums Example MD5 Calculation for Mac Users You don't need to buy any of the commercial MD5 generators. Both Macs and Windows come with free utilities for this purpose. Here are the steps on a Mac. All you have to do is launch the Terminal and type the md5 command followed by your file's name. 1. Place the file(s) to test in a folder. 2. Open a fresh Terminal window. 3. Use the cd command to c'hange the '''d'irectory to the folder with your files. It is easiest to type '''cd, then space, then drag the file onto the Terminal window. This will fill in the folder path automatically. Remove just the file name which thus leaving the folder path. 4. Use the md5 command to calculate and display the md5 for your file. The $ is just the prompt in the Terminal window. Do not type it. $ md5 GameFile1-9dc12c381b19395a0be731612539b9a7.txt This simple method returns the exact same MD5 as the HashTab app we have been using. I removed the folder path from the output below for clarity. Here is the output. MD5 (GameFile1-9dc12c381b19395a0be731612539b9a7.txt) = 9dc12c381b19395a0be731612539b9a7 Naughty Exercise: As a naughty little exercise, try this on any of the in-game files from any game using MD5 tags. You will see that tag reproduced exactly - unless you have been tampering with the files! Of course then, your bogus file will be detected during startup and your game will not launch until this has been corrected. Example MD5 Calculation for Windows > > Can you help? ''' Simple Tamper Prevention Trick We can use the fact that the file name does not matter to quickly prevent any tampering with our game files. Simply rename the file to include its MD5 tag! So our game file will be called instead: '''GameFile1.txt - - > GameFile1-9dc12c381b19395a0be731612539b9a7.txt You can see by the green check mark that despite this crazy name, the MD5 checksum is the same. Now let's go back to our tinkerer who is hoping to get your game's SpaceBattleSimulator for free. Slyly, while no one is looking, they open up the target file and drop the price down to zero. "SpaceBattleSimulator", "pearls": 1000000, "oysters": 0 } - - > "SpaceBattleSimulator", "pearls": 0, "oysters": 0 } Maybe no one will notice such a simple change. Fat chance! A quick check shows the MD5 is completely different. The red "X" reveals a BOGUS FILE! At the top is the new MD5 after the tinkerer has changed the price. It is not the same as the MD5 from our records shown at the bottom.